A basic problem with today's highly portable and mobile computers is how to identify a computer's current network location. As used herein, a “network location” of a computer or other device (e.g., a network device and/or user device) is the location of the device with respect to one or more communications networks. A network location of a device is not the same thing as the geographical or physical location of the device, although the network location may be indicative to some extent of the geographical or physical proximity of the device.
As used herein, a “network” is a group of two or more components interconnected by one or more segments of transmission media over which communications may be exchanged between the components. Each segment may be any of a plurality of types of transmission media, including one or more electrical or optical wires or cables made of metal and/or optical fiber, air (e.g., using wireless transmission over carrier waves) or any combination of these transmission media. As used herein, “plurality” means two or more. It should be appreciated that a network may be as simple as two components connected by a single wire, bus, wireless connection, or other type of segment. Further, it should be appreciated that when a network is illustrated in a drawing of this application as being connected to an element in the drawing, the connected element itself is considered part of the network.
As used herein, a “network device” is a device operative to communicate on a network, including, but not limited to: workstations, personal computers, terminals, laptop computers, end stations, user devices, servers, gateways, registers, switches, routers, hubs, bridges, directories, transmitters, receivers, repeaters, and any combinations thereof. As used herein, a “user device” is a network device from/to which a user may send/receive communications, and which may serve as an endpoint to communications on a communications network. User devices include, but are not limited to: workstations; personal computers (e.g., PCs); laptop computers; notebook computers; telephones (e.g., landline or mobile); pagers; Blackberry™ brand devices; PCS devices; personal digital assistants (PDAs); two-way radios (e.g., “walkie-talkies”); other types of user devices; and any suitable combination of the foregoing.
A network (e.g., any of networks 104, 106 and 108 described below) may be or include any of a variety of types of networks including, but not limited to, a local area network (LAN), a metropolitan area network (MAN), a wide-area network (WAN), a wireless network, a Public Land Mobile Network (PLMN), a Global System for Mobile Communications (GSM) network, a General Packet Radio Service (GPRS) network, a Universal Mobile Telecommunications System (UMTS) network, a Code-Division Multiple Access (CDMA) network, an optical network, a data network, an enterprise-wide network, a wireless personal area network (PAN), a home network, a telecommunications network, a public switched telephone network (PSTN), a broadband network, another type of network, or any suitable combination of the foregoing.
For a user device that is accessing one or more networks through a wireless transmission medium (e.g., using radio frequency (RF) technologies), the network location may be based on the identity of the AP (i.e., a wireless access point, such as a wireless router or WiFi AP) that provides the user device access to the one or more networks.
The network location of a user device has profound implications with respect to how the user device and its software will behave, particularly when the user device is accessing one or more networks through an AP using wireless technologies (e.g., WiFi/IEEE 802.11). Based on the network location of the user device and the type of network access implied by this network location, applications on the user device modify their behavior and expectations to better use whatever resources are available (bandwidth, local facilities such as printers, specific modes of communication, etc.). For example, applications can be configured to behave according to their network location as determined using Network Location Awareness (NLA) technologies available from Microsoft Corporation of Redmond, Wash. The network location of a user device has implications with respect to changes in three primary areas: trust, privacy, and security. There is more trust in the infrastructure available within a corporate or residential location than in an unfamiliar setting such as a public hotspot. With respect to privacy, it is well known that as a user device arrives at a new network location and attempts to discover the resources available, it volunteers sensitive information such as user name, usual server, buddy lists, etc. With respect to security, in some network locations the user device's firewall rules may be relaxed or completely deactivated, while in other network locations they are activated to protect against the threats in unknown environments.
In home environments, for example, user devices may be configured to be able to share content within the local (typically wireless) network, to easily exchange pictures, music, videos, to easily set up media streams between different nodes and devices, to share printers and files, etc. In contrast, in a public hotspot environment, this functionality should be turned off, and the user device should operate in a much more closed and protected fashion. Thus, there is constant tension between functionality and security: at home the tradeoff is to enable richer functionality while retaining some secure posture, whereas the secure posture must be increased to a maximum in potentially hostile or unknown environments such as WiFi hotspots.
Because of these competing interests, it is imperative that the identification of a network location be reliable. For example, if an attacker succeeds in making a user device believe that the user device is in a familiar and well-known (e.g., “secure”) network location, the user device may relax its protection or leak more information than it should, increasing the possibility of attack. Network location is sometimes determined using malleable (i.e., spoofable) identifiers in the infrastructure. For example, an entity (e.g., an AP or other network device connected to a network or a mobile user device not connected to a network) could wirelessly communicate with a user device, identifying itself to the user device using the MAC address of an AP familiar to the user device, thereby gaining the trust of the user device. The user device then may proceed to share information with the entity not knowing that the entity is an impostor. Malleable identifiers like MAC addresses can be easily spoofed, which is an increasing cause for concern as the role of network location in determining application behavior grows.
In some cases, network location may be inferred from verifiable sources of information. For example, within a corporate site, it is usually possible to obtain such assurance cryptographically (e.g., by authenticating the Domain Controller, or the AAA infrastructure via an IEEE 802.1X exchange). However, in non-corporate environments, such as residences, the network location is sometimes inferred via the aforementioned malleable identifiers.
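The contrast drawn in the two preceding paragraphs, as an added illustration that is not part of this application: a posture selector that keys trust off a remembered AP MAC address alone hands the relaxed posture to any impostor presenting that address, whereas one that treats the identifier only as a candidate and requires verifiable evidence (an authenticated 802.1X exchange or Domain Controller) keeps the closed posture for the residential case this text identifies as lacking such evidence. The BSSID values, the `Observation` and `Posture` types, and the evidence flags are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """What a user device can observe about the network it has just joined."""
    ssid: str
    bssid: str                            # AP MAC address: a malleable identifier
    dot1x_server_verified: bool = False   # 802.1X/EAP server authenticated (constructed flag)
    domain_controller_auth: bool = False  # Domain Controller authenticated (constructed flag)


@dataclass(frozen=True)
class Posture:
    location: str
    sharing_enabled: bool      # files, printers, media streams
    discovery_enabled: bool    # volunteer user name, usual server, buddy lists
    firewall_relaxed: bool
    proof_available: bool      # whether this location can be verified cryptographically


PUBLIC = Posture("public", False, False, False, False)
HOME = Posture("home", True, True, True, False)      # residence: no AAA/DC to authenticate
WORK = Posture("work", True, True, True, True)       # corporate site: 802.1X or DC available

# Constructed table of previously seen APs, keyed by BSSID (hypothetical values).
REMEMBERED_APS = {
    "02:00:00:00:00:01": HOME,
    "02:00:00:00:00:02": WORK,
}


def posture_from_identifier(obs: Observation) -> Posture:
    """Weak approach: the remembered BSSID alone selects the posture."""
    return REMEMBERED_APS.get(obs.bssid, PUBLIC)


def posture_from_evidence(obs: Observation) -> Posture:
    """Hardened approach: the BSSID only nominates a candidate; the relaxed
    posture is granted only when the candidate can be verified and was."""
    candidate = REMEMBERED_APS.get(obs.bssid, PUBLIC)
    verified = obs.dot1x_server_verified or obs.domain_controller_auth
    if candidate.proof_available and verified:
        return candidate
    # A residential AP offers no proof, so even the genuine home network lands
    # here: the gap that a more reliable location identifier would close.
    return PUBLIC
```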
Thus, a need exists for a more reliable way for a user device to identify its current network location and/or the identity of an AP in its vicinity, particularly when other security measures such as authentication are not available.